Google plans to release a firmware update for certain Pixel phones after a report that the phones contain an insecure Android Package (APK) at the system level that could potentially be exploited to install malicious apps.
Mobile security company iVerify disclosed its analysis of the package, Showcase.apk, on Thursday in a report co-authored by security consultants from Trail of Bits and a member of the cyber incident response team from data analytics firm Palantir Technologies.
The iVerify team discovered the APK after it was flagged by the company’s endpoint detection and response (EDR) solution on an Android device belonging to Palantir Technologies.
Further analysis of Showcase.apk by iVerify, along with a technical security analysis conducted by Trail of Bits in early May 2024, found that the software runs with high, “system-like” privileges, retrieves its configuration file from a single domain over unsecured HTTP, contains flawed code that could enable verification bypass and appears to be installed on a large percentage of Pixel devices, according to the report.
“Showcase.apk appears to be present on every single Pixel sold worldwide since 2017. We have reason to believe this package may be installed on other Android models, and Google has indicated the same,” iVerify Chief Operating Officer Rocky Cole told SC Media.
A Google spokesperson said in an email to SC Media that the APK is not present on Pixel 9 series devices and that the company plans to remove the package from all supported, in-market Pixel devices in an upcoming software update “out of an abundance of precaution.”
“This is not an Android platform nor Pixel vulnerability, this is an apk developed by Smith Micro for Verizon in-store demo devices and is no longer being used,” the Google spokesperson stated. “Exploitation of this app on a user phone requires both physical access to the device and the user’s password. We have seen no evidence of any active exploitation.”
Google said it would also notify other Android original equipment manufacturers (OEMs) about the APK and noted that the Showcase application is owned by Verizon and required on all Android devices sold by Verizon.
SC Media reached out to Smith Micro Software, which developed the APK code, and also contacted Verizon, and did not receive a response from either company.
Showcase.apk vulnerable to man-in-the-middle attacks, researchers say
Showcase.apk was developed by Smith Micro to enable phones to be used for in-store demonstrations at Verizon locations. While the APK comes embedded into the firmware of many Pixel phones — potentially millions, according to iVerify — it is not active by default and can only be activated by someone with physical access to the phone, according to Google.
The researchers at iVerify and Trail of Bits discovered multiple issues with the Showcase APK that could allow it to be exploited for remote, malicious app installations, given that Showcase is already active on the target device.
Firstly, Showcase runs with “excessive” privileges, the researchers stated in their report, which enables it to install and delete packages on the device. Secondly, the package retrieves a configuration file from single AWS-hosted command-and-control domain at a predefined URL over unencrypted HTTP, making it potentially vulnerable to man-in-the-middle (MITM) attacks.
Lastly, while the config file does have a signature that is validated against the root.der file stored in the APK, which would ordinarily prevent MITM attacks, a flaw in the verification code makes it possible to bypass this validation.
Trail of Bits’ technical report detailed how the config file may contain the fields “payload” and “payload_gzip” but that only one of these fields must match the signature validation in order to be accepted. Thus, an attacker could inject their own code into one of these fields, and the file will still be accepted based on the valid signature in the other field.
The Trail of Bits team tested and confirmed the possibility of a MITM interception using the Burp Suite tool to simulate the retrieval and injection of a valid config file with a malicious version on a device running Showcase.
By exploiting these vulnerabilities, an attacker could leverage Showcase’s privileges to install their own malicious APKs.
iVerify COO describes breakdown of communication with Google after report
These issues were reported to Google by iVerify following Google’s 90-day disclosure process, and Cole said Google acknowledge the report, initially classifying the severity of the vulnerability as “high.”
“However, as the investigation progressed, their communications deteriorated to the point where they ignored four straight communications from us as we were seeking to coordinate our disclosure, and to date, have been unable to provide a specific timeframe for when a patch will go live, nor have they directly shared any information with us regarding the original functionality of the package or how they plan to fix it,” Cole said.
When asked why iVerify reported the issue to Google rather than the code’s original developer, Smith Micro, Cole said he felt that its prevalence among Pixel devices warranted action from Google.
“The code itself, which was shoddy, was written by Smith Micro, but Pixel is ultimately a Google platform. Google made a business decision to implant an apparently unreviewed third-party code deep in Pixel’s operating system — so while Smith Micro certainly could have written cleaner code, I think ultimately this is Google’s responsibility to get right,” Cole told SC Media.
Cole also said there “might be multiple methods” to enable Showcase.apk, thus making it vulnerable to MITM attacks, despite it being inactive by default.
“The idea that physical access is required to exploit the package is merely an assumption and a well-resourced threat actor could almost certainly overcome this barrier,” Cole said.
Showcase.apk cannot be removed without firmware update
Due to its integration into Pixel device firmware, Showcase.apk cannot be uninstalled by the user themselves, and requires an update by Google to be removed.
While Google noted that the inclusion of Showcase on all Android devices was a requirement set by Verizon, it is unclear why it was included on all devices rather than a subset to be used as demo phones. It is also unclear why Showcase ran in such a highly privileged context, which was described as “altogether unnecessary for the intended purpose of the application” by iVerify in its report.
As a result of the findings by iVerify and Trail of Bits, Palantir Technologies said it would be removing Android devices entirely from its mobile fleet over the next few years, transitioning instead to Apple devices.
“We’re supporting some of the most important institutions in the Western world. Google embedding third-party software in Android’s firmware without reviewing the quality or security of these apps, and not disclosing this to vendors or users, create significant security vulnerability to anyone who relies on this ecosystem,” Palantir Technologies Chief Information Security Officer Dane Stuckey said in a statement.
Cole told SC Media that while organizations that use Pixel devices with Showcase installed will not be able to remove the APK on their own, he recommended organizations implement mobile EDR platforms to help detect potential attacks exploiting the package and other mobile application vulnerabilities.
Indicators of execution of Showcase.apk are also included in Trail of Bits’ technical report to aid users in analyzing whether the APK may have been active on their device.
“The Showcase.apk discovery and other high-profile incidents, like running third-party kernel extensions in Microsoft Windows, highlight the need for more transparency and discussion around having third-party apps running as part of the operating system,” iVerify wrote in its report summary, making reference to the recent global CrowdStrike outage.
